The CrowdStrike incident, which released a faulty Falcon sensor update that caused disruptions to millions of Microsoft systems, also opened the floodgates for cybercriminals. They wasted no time in exploiting the chaos in several companies that use Microsoft systems and managed to distribute a malicious ZIP archive called “crowdstrike-hotfix.zip”. The ZIP archive distributed by cybercriminals was used mostly in Latin America. The unfortunate companies received a ZIP archive containing instructions in Spanish to automate system recovery by updating the content. The user had to run the Setup.exe file to start the patch installation. Once the file was executed, the Setup.exe loaded and executed the first stage of the HijackLoader called maidenhair.cfg. In reality, the file contains data to execute the RemCos payload.
RemCos is a Trojan that allows cybercriminals to remotely access (backdoor) the system after infecting it and, at a later time, breach sensitive data. This is the first time that cybercriminals have directly exploited a vulnerability in Falcon’s content update to target CrowdStrike customers in Latin America. CrowdStrike Intelligence has recommended that all its customers ensure that the update files actually come from their company and contact the support team through official CrowdStrike channels if they have any concerns.
